5-Day Training Class:

with commercial and non-commercial products and tools from IBM, Recorded Future, Carbon Black, A10 Networks, Volatility and more . . .

This class is about Incident Response in a post-compromised environment.

Abstract:

If you give an attacker 100 days of time to move freely in your compromised environment, the evidence is fairly strong that you are pretty bad at Security Operations. On the contrary, if your Security Operations is constantly sending breach confirmations to the forensic team which turn out to be false positives, then again, the evidence is fairly strong that you are pretty bad at Security Operations. This is what is constantly happening in a lot of large organizations, banks and government institutions around the world.

In this class we will show you the major reasons why Security Operations is currently performing poorly and what is required within Security Operations in order to produce high-value results that can be consumed by a Threat Hunting and Forensic team. We will also focus on how to streamline security analysis, from the initial triage within Security Operations through Threat Hunting to Forensics in the case of an advanced targeted attack, by quickly forming a defense team that is able to collaborate directly from within IBM Resilient as the central hub for Incident Response.

The goal is to rapidly identify and respond to advanced adversaries that have gained a foothold in a compromised environment (post-compromise). The initial triage will be conducted by the Security Operations team (L1), which will hand off valuable results to the Threat Hunting team (L2), which will in turn produce results that will be consumed by the DFIR team (L3) for a deep-dive forensic analysis focusing on a few affected systems out of hundreds or thousands of systems.

By integrating Resilient with IBM QRadar, QRadar Network Insights and QRadar Advisor with Watson for detection, Carbon Black Response for Threat Hunting, robust and actionable CTI from Recorded Future, and MITRE Att&ck for identifying the adversary's applied TTPs, we will further demonstrate how the local relevance is expressed in STIX objects.

Integral parts of this class will be to demonstrate how security analysts stay focused by using efficient playbooks, and how the time to respond can be drastically reduced through automation and orchestration techniques. The security analysts will be able to watch the movements of the intruder and limit their capabilities while the L2/L3 teams work on a strategy to completely remove the intruder's foothold (fully-fledged remediation, eradication and recovery) from the compromised environment.

This class includes a lot of hands-on labs that require you to analyze and defend an organization's networked computer environment.

Integration with other open source forensic tools like Plaso, Log2timeline, etc.

Stage 1 Analysis details - Security Operations

Find CTI matched destination IPs and load corresponding CTI

Map out CTI to "MITRE Att&ck for Enterprise" matrix for identifying relevant TTPs

Populate incident data table with IOC and local relevance details

Verify CTI related entities

Create STIX bundles

Create and analyze STIX knowledge and relevance graphs

Stage 2 Analysis details - Threat Hunting

Load the Att&ck Navigator and activate the noted Intrusion-Set name (Threat Actor) in order to see all the relevant TTPs.

Open the two file attachments regarding the knowledge graph and the relevance graph in the STIX visualization tool in separate browser tabs (file:///C:/cti-stix-visualization-master/index.html).

Work with the knowledge graph and gather as much knowledge as possible about the Threat Actor/Group, their motivations, their used TTPs, malware and tools.

Based on the MITRE Att&ck website, learn more about the identified TTP details.

Read analyst reports provided by the CTI and MITRE Att&ck.

Work with the relevance graph, understand the local findings and their context, and, based on the acquired knowledge, try to identify suspicious relationships. Document suspicious source-destination relationships, domain names and hashes from the relevance graph.

Switch to the Carbon Black Response UI and begin to search for the processes corresponding to the findings under 6. For example, work with a search filter such as "ipaddr:93.184.220.29 AND hostname:lenovo_an AND domain:rapidssl.com AND alliance_score_attackframework:[1 TO *]".

While conducting Threat Hunting as part of 8, follow the instructions specified in the individual TTP tasks.

Gather as much intelligence as possible by working through the MITRE TTP staging table.

When conducting the specific TTP analysis, answer the key investigative questions provided in the TTP tasks. Please also answer the question "Which additional TTPs have been identified?"
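As an added illustration of the Stage 1 steps (create STIX bundles, map CTI to a MITRE Att&ck TTP, record local relevance) and of the Stage 2 relevance-graph walk, the following Python script is not part of the class material or of any vendor product. It uses only the standard library to emit a minimal STIX 2.1 bundle and then flattens it into the source/edge/target triples an analyst reads off the relevance graph. The IP, domain and hostname are the ones quoted in the Stage 2 search filter; the intrusion-set name is a placeholder and T1071 is used only as a sample technique ID.

```python
import json
import uuid
from datetime import datetime, timezone

def _ts():
    # STIX 2.1 timestamp format (UTC, millisecond precision)
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def _obj(obj_type, **props):
    # Common properties every STIX Domain / Relationship Object carries
    o = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
         "created": _ts(), "modified": _ts()}
    o.update(props)
    return o

def build_relevance_bundle(ip, domain, hostname, actor, attack_id, technique):
    """Join CTI knowledge (indicator -> intrusion set -> Att&ck technique) with local
    relevance (a sighting of the indicator on a named internal host) in one bundle."""
    indicator = _obj("indicator", name=f"CTI match {ip}", indicator_types=["malicious-activity"],
                     pattern_type="stix", valid_from=_ts(),
                     pattern=f"[ipv4-addr:value = '{ip}' OR domain-name:value = '{domain}']")
    actor_set = _obj("intrusion-set", name=actor)
    ttp = _obj("attack-pattern", name=technique,
               external_references=[{"source_name": "mitre-attack", "external_id": attack_id}])
    host = _obj("identity", name=hostname, identity_class="system")  # the local endpoint
    objects = [indicator, actor_set, ttp, host,
               _obj("relationship", relationship_type="indicates",
                    source_ref=indicator["id"], target_ref=actor_set["id"]),
               _obj("relationship", relationship_type="uses",
                    source_ref=actor_set["id"], target_ref=ttp["id"]),
               _obj("sighting", sighting_of_ref=indicator["id"], count=1,
                    where_sighted_refs=[host["id"]])]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def relevance_edges(bundle):
    """Flatten the bundle into (source name, edge, target name) triples: the view an
    analyst walks when documenting suspicious relationships from the relevance graph."""
    names = {o["id"]: o.get("name", o["type"]) for o in bundle["objects"]}
    edges = []
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            edges.append((names[o["source_ref"]], o["relationship_type"], names[o["target_ref"]]))
        elif o["type"] == "sighting":
            for ref in o["where_sighted_refs"]:
                edges.append((names[o["sighting_of_ref"]], "sighted-at", names[ref]))
    return edges

if __name__ == "__main__":
    # Constructed sample values; the actor name is a placeholder, not a real attribution
    b = build_relevance_bundle("93.184.220.29", "rapidssl.com", "lenovo_an",
                               "PLACEHOLDER-INTRUSION-SET", "T1071", "Application Layer Protocol")
    print(json.dumps(b, indent=2))
    for edge in relevance_edges(b):
        print(*edge)
```

The JSON printed by the script can be saved to a file and opened in the cti-stix-visualization tool referenced above to see the same triples as a graph.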